
The awareness of using strong passwords has significantly improved over the last few years thanks to the efforts taken by many security organizations and websites. Even a layperson today knows that it’s important to have a strong password to thwart hacking attempts.

Unfortunately, these organizations and websites fail to mention that the security of a member’s account is the responsibility of both the user AND the organization that stores the password. As a result, whenever hundreds or thousands of passwords are stolen by hackers, some website managers find it convenient to blame the users for the theft. Although mass password thefts are generally caused by phishing (in which case the user is at fault), a small percentage are caused by stealing or hacking the website database. Sometimes, organizations release member information to third-party companies or partner websites, which is fine as long as they take certain safety measures. As you can imagine, not everyone does this, which means that the host website is also a potential point of failure.

I shall explain by providing a couple of examples and shall conclude with a test procedure that you can use to detect if a website is storing your passwords securely.

Please note that this article is only concerned with password storage and ignores security measures and breaches due to other factors.

Eg1: Plain, Simple and Visible

This technique stores all data in plaintext. Hence, all the passwords and data are visible to anyone who has access to the database table. You don’t even need to hack the database to gain access to such information. Some employees of the organization storing this data have legitimate access to the database and can steal passwords if they wish. Although it’s fairly obvious that storing data in plaintext is asking for trouble, it’s popular among students and other people due to the ease of implementation.

Areas where this technique is prevalent:

Web applications written by students.

Websites belonging to Small and Medium Businesses (SMB).

Websites of startups. (Hardly any startups do this anymore which is a good sign)

Eg2: Secure Passwords, Open Data

Passwords, in this case, are stored as a computed one-way hash. This prevents them from being reversed into their original form and, in essence, protects the password from being recovered in the event of a security breach. Employees who have genuine access to the database can view your data but have no idea what your password is. This is desirable where member information needs to be visible to employees while the password remains a secret known only to the member.

Areas where this technique is prevalent:

Web applications written by (smarter) students.

Startups and other SMBs.

Online Forums.

Eg3: Secure Data and Passwords

In this case, only the primary key is left unencrypted, while every other field is encrypted using a reasonably long key. This keeps locating entries in the database easy and protects the user’s information. Partner websites do not have direct access to the data and instead use intermediate accessor functions to retrieve it. Unlike with the previous methods, user information would remain protected even if the database were hacked.

There are several variations that are more secure which employ various techniques such as:

Encrypt everything and use lookup tables with hashes to access data.

Distribute data across multiple databases.

Distribute data across multiple databases that use different encryption schemes.

…and many more, which are far more complex and more secure by several degrees…

Areas where this technique is prevalent:

Banks

e-commerce Websites

Government and Military Organizations

Aside from these techniques, there’s an interesting myth on which I’d like to throw some light.

Websites that use HTTPS

A website that uses HTTPS (SSL/TLS) only guarantees that data transmitted between the user and the website cannot be intercepted by eavesdropping attacks. It says nothing about how the data is stored server-side. Hence, data stored on a website that uses HTTPS is still insecure if the site employs the storage method described in Example 1.

How to Find Out If a Website Stores Your Password in Plaintext?

Follow these simple steps to find out if a website hashes your password or not.

Register as a new member on the website in question. If you already have an account, skip this step.

Click ‘Forgot Password’ on the login page of the website.

Follow the instructions to recover your password. (Usually you would enter your email address or answer your secret question, depending on the website.)

If your old password is revealed on screen or in the ‘password recovery’ email, the password is stored in plaintext, which means your password can be stolen in the event of a server-side security breach.

If you are asked to click a ‘Password Reset’ link or enter a new password directly (this is website-dependent), the website stores your password as a hashed value and your password is safe from being stolen if the website gets hacked. (In this case, your old password can’t be shown to you because a hashed value cannot be converted back into its original form.)
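The difference between Example 1 and Example 2, and why the ‘Forgot Password’ test above works, as an added Python example that is not from the article: a plaintext store can hand the old password straight back, while a store that keeps only a per-user salt and a slow PBKDF2-HMAC-SHA256 hash can do no better than issue a reset token. The class and method names and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2 work factor; the value is an assumption for this example, not from the article.
ITERATIONS = 600_000


class PlaintextStore:
    """Eg1: the password is saved exactly as typed."""

    def __init__(self):
        self.rows = {}  # user -> password

    def register(self, user, password):
        self.rows[user] = password

    def verify(self, user, password):
        return self.rows.get(user) == password

    def forgot_password(self, user):
        # The site can simply e-mail the old password back: the tell-tale sign.
        return self.rows.get(user)


class HashedStore:
    """Eg2: only a random salt and a slow, salted one-way hash are saved."""

    def __init__(self):
        self.rows = {}  # user -> (salt, digest)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, user, password):
        salt = os.urandom(16)  # per-user salt: identical passwords get different digests
        self.rows[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        row = self.rows.get(user)
        if row is None:
            return False
        salt, digest = row
        # Recompute with the stored salt and compare in constant time.
        return hmac.compare_digest(digest, self._derive(password, salt))

    def forgot_password(self, user):
        # The old password cannot be recovered from (salt, digest); the only option
        # is a single-use reset token that lets the user choose a new password.
        return None if user not in self.rows else secrets.token_urlsafe(32)
```

Note that a reset link is consistent with hashing but not proof of it: a site could store plaintext and still choose to send reset links, whereas a site that mails your old password back has certainly stored it recoverably.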

I hope this article has helped you realize that having a strong password is pointless if the website that you use it for stores it in plaintext.

Update: rootkit.com got hacked on March 3rd, 2011 (see here and here) and had all its users’ account passwords stolen, since all the user passwords were stored in plaintext. It’s disappointing that someone as accomplished as Greg Hoglund (whose book on Rootkits still remains one of my favourites) stored passwords as plaintext on his website. A security firm headed by a security researcher making such a basic mistake is simply unforgivable. I hope you won’t make the same mistake.

Update: Microsoft India got hacked on February 12th, 2012 and had all user account passwords stolen (see here) because they were stored in plaintext. One would think that at least Microsoft would know how to store passwords. Sigh.